Backend on server keeps getting corrupt

I built an access database. It was originally meant to be for 6 people but I see that it’s up to about 20, so that could be the problem. Anyway, the backend gets corrupted a couple of times a day. It is usually possible to resolve this by opening the backend at which point it offers to fix it and usually does so.

The database is not particularly complicated (I don’t think) but it does have some VBA.

The basic idea of the database is that we are tracking lots that need to move through a set of processes but that get broken up. So we might receive 1000 items, and then have 300 of them go to prescreening, and later another 100, and so on through all of the roughly 8 steps.

The way I’ve done this (which I’d be happy to change – I just don’t know what to change) is to have a small submission table, which tracks the lots as they come in, and a larger table (called preorder for reasons which don’t matter) which tracks the line items.

The preorder table has quite a large number of fields (about 75). But of importance to this is the quantity field and the status field. The status field tracks the items through the process (so from step 1=Receiving to 8=Shipping or whatever). The quantity tracks how many of this particular item there are from this batch with the other properties at this status.

Then there are forms for each of these steps with very similar VBA behind them. One of the fields will be basically "quantity to move to the next step" (this is one of the fields in the preorder table that is initially defaulted to 0). The user fills in this quantity (and some additional information potentially) and presses a button to process the step.

The VBA:

  1. opens a recordset (rs) for the preorder table where the status is 1 (say) and the quantity to go to the next step is >0.
  2. It also opens an appendonly recordset of the preorder table (rs2).
  3. Then it goes through the records in rs, adjusts the quantity down, and appends a new copy of the record with the new quantity and an updated status.

The below is an example from one of the screens. Others are similar, although there are some nuances baked in that may or may not be important.

```vba
Private Sub btnProcess_Click()
    DoCmd.Hourglass True
    Dim db As Database
    Dim rs As DAO.Recordset
    Dim rs2 As DAO.Recordset
    Dim fld As DAO.Field
    Dim SFld As String
    Dim myQuantity As Long
    Dim PSQuantity As Long
    Dim c As Long
    Set db = CurrentDb
    Set rs = db.OpenRecordset("SELECT * FROM tblPreorder " & _
                            "WHERE (((tblPreorder.StatusID)=1) AND ((tblPreorder.PSQuantity)>0));", dbOpenDynaset, dbFailOnError)
    If rs.EOF Then
        MsgBox "No records found for processing"
        rs.Close
        DoCmd.Hourglass False
        Exit Sub
    End If
    Set rs2 = db.OpenRecordset("tblPreorder", dbOpenDynaset, dbAppendOnly)
    rs.MoveFirst
    Do Until rs.EOF
        myQuantity = rs("Quantity").Value
        PSQuantity = rs("PSQuantity").Value
        rs2.AddNew
        For Each fld In rs.Fields
            SFld = fld.Name 'to catch special fields
            Select Case SFld
                'special cases
                Case "ID":  'do nothing
                Case "Quantity":
                    rs.Edit
                    rs(SFld).Value = myQuantity - PSQuantity
                    rs.Update
                    rs2(SFld).Value = PSQuantity
                Case "Comment":
                    'Nz guards against a Null comment; the > 0 belongs outside Len()
                    If Len(Trim(Nz(rs("PSComment"), ""))) > 0 Then
                        rs2(SFld).Value = Trim(rs("Comment")) & vbCrLf & Trim(rs("PSComment"))
                    Else
                        rs2(SFld).Value = rs(SFld)
                    End If
                Case "StatusID":
                    rs2(SFld).Value = 2 'Changes the status from 1 to 2
                Case "DateChanged":
                    rs2(SFld).Value = Now()
                Case "EmployeeID":
                    rs2(SFld).Value = UserID()
                Case "Location":
                    If rs("PSLocation") <> "" Then
                        rs2(SFld).Value = rs("PSLocation")
                    End If
                Case "PSDate":
                    rs2(SFld).Value = Now()
                Case "PSEmployeeID":
                    rs2(SFld).Value = UserID()
                Case "PSQuantity":
                    rs.Edit
                    rs(SFld) = 0
                    rs.Update
                    rs2(SFld) = 0
                Case "ReleasedFiles": 'do nothing
                Case Else:
                    rs2(SFld).Value = fld.Value
            End Select
        Next fld
        rs2.Update
        rs.MoveNext
    Loop
    rs.Close
    rs2.Close
    c = Me.CurrentRecord
    Me.Requery
    On Error Resume Next
    DoCmd.GoToRecord acDataForm, Me.Name, acGoTo, c
    MsgBox "Items moved to BNC Request"
    DoCmd.Hourglass False
End Sub
```

My questions:

  1. If you see anything obviously wrong, of course, let me know. It works like a charm when it’s just me testing it. I’ve never managed to replicate the issue, but I can see that it’s happening in the production version.
  2. I’ve followed the advice on a couple of websites on avoiding this (e.g. https://www.techrepublic.com/article/get-it-done-top-10-ways-to-prevent-access-database-corruption/). I’m basically tinkering and trying things because I don’t fundamentally know what the issue is. E.g. I switched from Recordset to DAO.Recordset in the above code. It didn’t seem to make a difference, so I might go back. Everyone is using Access 2010 and the backend is Access 2010, so it seemed to make sense to use an Access-specific recordset. I close all the recordsets (rs.Close); I compile the VBA; I have saved the frontend as an accde; all users use the accde from their own computers; all users are using wired connections; I have version control so everyone is using the latest frontend.
  3. The main question, I suppose: How can I diagnose this? I could easily imagine putting a new table in to track who’s hitting the process button and when and which one. I’m probably going to do that to see what happens in the lead up to a corruption. But what are your recommendations for what to track and are there any other tricks and tips to get to the root of this?

Code specific questions:

  1. Recordset or DAO.Recordset or some other thing?
  2. dbFailOnError or dbSeeChanges or some other thing?
  3. rs.Edit … rs.Update on the couple of fields that get updated as I loop (current code)? Or one rs.Edit … rs.Update on either side of the loop?
  4. Should I be putting a manual hold or something to prevent people from running similar code simultaneously? It offends me a little to do so, since I kind of imagine that the people who make MS Access will do a better job than me at that sort of thing. But I could probably set a flag somewhere that literally makes people wait their turn. I’d still be worried about a race condition.

Wider database questions:

  1. Are there other secret settings that need to be adjusted to minimize this issue? Everyone is using MS Access 2010. Name AutoCorrect Options, Filter lookup options, caching, data type support options. I don’t really know what these do and I suspect there are gotchas everywhere! I had a similar database that I used for years without issue, so I was lulled into a false sense of security here.
  2. Have I structured this completely wrong? I’m okay to do a whole bunch of work – it would just be nice to have a good sense that it would solve the problem!

Thanks!

CSRF token not sent when calling the back-end?

My system is composed of a NuxtJs and an AdonisJs application. Adonis handles CSRF tokens for us by sending:

```
set-cookie: adonis-session=XXX; Path=/; HttpOnly
set-cookie: XSRF-TOKEN=XXX; Max-Age=7200; Path=/; SameSite=Strict
set-cookie: adonis-session-values=XXX; Path=/; HttpOnly
```

Now from what I can see, it will set a cookie that can be sent only by a browser, and only if the host is the same. From my understanding, from that point on the browser is the one who will auto-attach cookies like that to each request. The problem is, when the Nuxt application is making an API request to the back-end I do not see any CSRF token being sent when looking at the traffic through BurpSuite.

And naturally Adonis will reply with "Invalid CSRF Token", and respond with status code 500.

I’m not sure what I am missing; I fail to understand why the browser is not sending that cookie. And just as extra information, I’ve failed to find it through the browser’s inspector window (Storage tab). Is it possible that the cookie is not set?

I’ve seen other posts regarding this issue, but they were not helpful because the solution was composed of reading a cookie and manually sending it as a header, which I do not advise and is not the model I’m going to implement. I would rather leave it to the back-end framework and browser to do the job for me, because as we all know, there would be less room for me to make a mistake.

Thank you for reading this.

Getting and setting CSS variables with JQuery in WordPress backend fails

On a WordPress settings page of a plugin I develop, I have to implement a visual element that I want to change by JavaScript. I’ve got my solution working as it should and tested it on CodePen and JSFiddle. But when loading the equivalent code, including the script, in WordPress, it will not work.

Here is the schema I’m using:

HTML

```html
<div id="origin" class="box"></div>
<div id="target" class="box"></div>
<button id="toggle-color">Toggle Color</button>
```

CSS

```css
:root {
  --origin-color: red;
  --target-color: blue;
}

.box {
  width: 150px;
  height: 150px;
}

#origin {
  background-color: var(--origin-color);
}

#target {
  background-color: var(--target-color);
}
```

JS (jQuery 3.4.1)

```js
(function( $ ) {
    'use strict';
    $(document).ready(function(){
        $('#toggle-color').on('click', function(event){
            event.preventDefault();
            var root = $(":root");
            var origin_color = '--origin-color';
            var target_color = '--target-color';
            var origin_value = root.css(origin_color);
            var target_value = root.css(target_color);
            root.css(origin_color, target_value);
            root.css(target_color, origin_value);
            return false;
        });
    });
})( jQuery );
```

The problem I have is that, while it works in the test environments, in the WordPress backend the lines where I fetch the colors with

```js
var origin_value = root.css(origin_color);
var target_value = root.css(target_color);
```

return ‘undefined’, so the next line where I switch the colors fails.

See my example here: https://jsfiddle.net/tomybyte/hvbc3zu1/6/

I don’t understand why it is working in JSFiddle and CodePen but not when loading in WordPress (yes, the code is loaded, I checked that!)

Why do CDNs allow arbitrary backend to be set, is it not a big security concern?

I found that most CDNs allow the user to claim any domain as the backend, and I wonder why they do this instead of verifying that the user owns the backend domain. If I have myowndomain.com and set the backend to be facebook.com, wouldn’t that be an easier way to do attacks such as phishing? Of course, I would still need to solve CORS, SOP, and cookie-related issues, but why do CDNs open the backend in the first place?

How to create custom backend admin menu in different languages?

So I’ve found absolutely nothing about this subject online.

What I’ve done: I successfully programmed a custom admin menu in English for my WordPress backend, according to https://webkul.com/blog/how-to-add-menu-in-wordpress-admin-panel/, so that’s all good.

What I need: If I change the language of the backend (via the user settings in the WordPress backend), every admin menu gets translated to the newly selected language, except for my custom admin menu, which of course still appears in English. My question is: how / where do I need to store custom admin menus in other languages, such that they also get their language changed according to the language selected for the backend?

What is the name of the data structure that is a tree on the backend but has a list like API?

I’m looking for the name of a data structure. It is organized like a balanced tree. The elements need not be comparable. Instead of asking whether the tree contains a thing (as you would with a collection of comparables), you can query for the k’th element in logarithmic time. You can insert before or after any k’th element. So the API is a bit like a list, except all operations are logarithmic.

I think a “rope” might be similar, but those seem to be restricted to strings only. It could be thought of as a segment tree where every leaf has a weight of 1, but instead of storing the weights in the leaves, the entry itself is stored.
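As an added example (not from the question), one way to build the structure described above is a size-augmented balanced tree, here an implicit treap: every node records the size of its subtree, so the k’th element is found by descending on sizes, and insertion at an index is a split at that position followed by two merges. The `IndexedList` class and its method names are hypothetical.

```javascript
// Added example (not from the question): an order-statistic tree as an implicit
// treap. Each node stores its subtree size, so "the k-th element" is found by
// descending on sizes and insert/remove at index k are split+merge, O(log n) expected.
const node = (value) => ({ value, prio: Math.random(), size: 1, left: null, right: null });
const size = (t) => (t ? t.size : 0);
const pull = (t) => { t.size = 1 + size(t.left) + size(t.right); return t; };
// Split t into [first k elements, the rest], by position rather than by key.
function split(t, k) {
  if (!t) return [null, null];
  if (size(t.left) >= k) {
    const [l, r] = split(t.left, k);
    t.left = r;
    return [l, pull(t)];
  }
  const [l, r] = split(t.right, k - size(t.left) - 1);
  t.right = l;
  return [pull(t), r];
}
// Merge two treaps where every element of a precedes every element of b.
function merge(a, b) {
  if (!a) return b;
  if (!b) return a;
  if (a.prio > b.prio) { a.right = merge(a.right, b); return pull(a); }
  b.left = merge(a, b.left);
  return pull(b);
}
class IndexedList {
  constructor() { this.root = null; }
  get length() { return size(this.root); }
  get(k) {                       // k-th element, 0-based, O(log n)
    let t = this.root;
    while (t) {
      if (k < size(t.left)) t = t.left;
      else if (k === size(t.left)) return t.value;
      else { k -= size(t.left) + 1; t = t.right; }
    }
    throw new RangeError('index out of range');
  }
  insertAt(k, value) {           // value becomes the k-th element
    const [l, r] = split(this.root, k);
    this.root = merge(merge(l, node(value)), r);
  }
  removeAt(k) {                  // drop the k-th element
    const [l, rest] = split(this.root, k);
    const [, r] = split(rest, 1);
    this.root = merge(l, r);
  }
  toArray() { const out = []; (function walk(t) { if (!t) return; walk(t.left); out.push(t.value); walk(t.right); })(this.root); return out; }
}
```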

Can backend verify mobile client using OpenID Connect?


Objective

My goal is to implement a generic mobile client and backend authentication flow, just for practice. Imagine that I am building a note app that stores user notes on the backend. Instead of implementing my own user management in my backend, I want to rely on some popular OIDC providers to authenticate users from my backend.

The important thing is that I am not interested in accessing any user data that the OIDC provider offers. My goal is to verify the user and the client whenever something hits my backend.


My understanding of OIDC Authentication flow is as follows:

  • IdProvider: the oidc provider
  • MyClient: mobile application. has client_id
  • MyBackend: has client_secret

Steps:

  1. MyClient generates PKCE code challenge.
  2. IdProvider authenticates the user and MyClient receives a temporary authorization_code.
  3. (not sure on this) MyClient sends MyBackend both the temp authorization_code and the PKCE code verifier for token exchange.
  4. MyBackend does token exchange with the IdProvider.
  5. (also not sure on this) MyBackend sends id_token and refresh_token back to MyClient.

My justifications for steps 3 and 5 are these:

  • Only MyBackend can access client_secret. Therefore token exchange can only be done by MyBackend and MyClient is responsible for sending the temp authorization_code and the PKCE code verifier.
  • MyClient needs id_token to hit normal MyBackend endpoints. MyClient also needs refresh_token to initiate the token refresh flow in case id_token expires.

Problem

Now in the above flow it looks like there is no way I can prevent an attacker from stealing the client_id and impersonating MyClient. I have tried to search for sample implementations on the internet, but many of them simply rely on client-side authentication only. For example, this one: https://github.com/awslabs/aws-sdk-android-samples/tree/master/AmazonCognitoAuthDemo asks you to store client_secret on the client side. I am not sure why this is acceptable, and AWS even built a sample for it?

Any help would be appreciated.

Add customer note using order number on the admin backend

I am new to WordPress Plugin Development.

What I want:

To add a customer note using order number using php in the admin backend custom plugin.

What I know:

That we need to use the WC_Order class and $order->add_order_note().

What I cannot figure out:

How do I use the WC_Order class in the custom PHP page to get order details? (Do I really need to use this class? If so, then how do I use it in the PHP page of my custom plugin?)

In short I want to add a customer note by just using the Order Number and also get Order Status if possible.

Edit 1:

This is my plugin php code:

```php
<div class="wrap">
    <form method="POST">
        <input placeholder="Enter 3-digit Order Number" type="number" name="orderNumber" maxlength="3">
        <button class="button" value="Submit" onclick="Submit">Add Customer Note</button>
    </form>
<?php
wp_enqueue_style('wim_styles');
// On the first (GET) load of the page $_POST['orderNumber'] is not set, so
// wc_get_order() gets an empty id and returns false instead of a WC_Order.
$order_id = $_POST['orderNumber'];
$order = wc_get_order($order_id);
echo "Order is " . $order . " order number is " . $order_id . " Status is ";
$note = __("This is my note's text…");
// Calling a method on false is what raises "Call to a member function add_order_note()".
$order->add_order_note($note);
echo "Added note to order number: " . $order_id;
?>
</div>
```

This throws following error:

Uncaught Error: Call to a member function add_order_note(). What am I doing wrong here? Please guide.

Can anyone identify the authentication backend used by a PHP website from the following URL?

Client POSTs creds, and if authenticated, server responds with a 302 redirect to an enormous path:

https://phpwebsite.com/login/auth/[encoded_data]

where encoded_data is either 811, or 726 characters long (for admins and unprivileged users respectively).

The charset is [a-zA-Z0-9_-] and it looks like underscore/hyphen are being used to encode data rather than as separators. Here are the first 80 characters from four authenticated requests:

```
kDXQCdyBLGeI6iffL7NCerz-2n7cqsQkAd--qu_cwaDku3u05mkOfLnhG0X0jhYj78VCulnaWX96Aaj3
O_sTfG87ndgFssFpZrQ1zIi7AXGs8ft-ufiRcs9tec0seoMnZuuvYexCmRONdhylx5mxy_QJw8qD04CM
hY1YSR-1yT6Mr61HPd0sKHRsGpIHvfXCyvTreOza9hMMmROxv9RKdDY-4gb1z4IMAlGM0aaFqaCUv1VN
qtFUBJtBT-6eL7Fxrj47H2ryTVe0uVLWHVxtxC-Xp0Hw2g-7gN_ovBi-e_i-iTHDAmbhNJkesk_7wxSI
```

The client GETs the massive path string and the server responds with a new PHPSESSID cookie value for the authenticated session. I realise the length and the /login/auth/ component of the path could be variable (user-set), but I don’t know how it has been configured.